Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1396
published 1 month, 2 weeks ago
Permalink CVE-2026-42235
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
    1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago

n8n: XSS via MCP OAuth client

n8n
  • ==>= 2.17.0, < 2.17.4
  • ==>= 2.18.0, < 2.18.1
  • ==< 1.123.32
NIXPKGS-2026-1395
published 1 month, 2 weeks ago
Permalink CVE-2026-7776
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @LeSuisse ignored package akkuPackages.chibi-char-set-boundary 1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago

Boundary Workers Vulnerable to Denial of Service During TLS Handshake

Boundary
  • <0.21.3
Boundary Enterprise
  • <0.21.3
NIXPKGS-2026-1394
published 1 month, 2 weeks ago
Permalink CVE-2026-7723
7.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 1 month, 2 weeks ago by @LeSuisse Activity log

PrefectHQ prefect WebSocket Endpoint in missing authentication

prefect
  • ==3.6.14
  • ==3.6.11
  • ==3.6.2
  • ==3.6.13
  • ==3.6.4
  • ==3.6.9
  • ==3.6.8
  • ==3.6.0
  • ==3.6.10
  • ==3.6.12
  • ==3.6.1
  • ==3.6.3
  • ==3.6.5
  • ==3.6.7
  • ==3.6.6
NIXPKGS-2026-1393
published 1 month, 2 weeks ago
Permalink CVE-2026-7779
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 1 month, 2 weeks ago by @LeSuisse Activity log

Open5GS authentication-subscription Endpoint nudr-handler.c udm_nudr_dr_handle_subscription_authentication denial of service

Open5GS
  • ==2.7.1
  • ==2.7.4
  • ==2.7.7
  • ==2.7.0
  • ==2.7.3
  • ==2.7.5
  • ==2.7.6
  • ==2.7.2
NIXPKGS-2026-1392
published 1 month, 2 weeks ago
Permalink CVE-2026-42230
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
    1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago

n8n: Open Redirect in MCP OAuth Consent Flow

n8n
  • ==>= 2.17.0, < 2.17.4
  • ==< 1.123.32
  • ==>= 2.18.0, < 2.18.1
NIXPKGS-2026-1390
published 1 month, 2 weeks ago
Permalink CVE-2026-42229
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
    1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago

n8n: SQL Injection in SeaTable Node

n8n
  • ==>= 2.17.0, < 2.17.4
  • ==< 1.123.32
  • ==>= 2.18.0, < 2.18.1
NIXPKGS-2026-1389
published 1 month, 2 weeks ago
Permalink CVE-2026-42144
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago

CImg Library: Integer overflow in PNM size check bypasses memory guard (_load_pnm)

CImg
  • ==< 4ca26bce4d8c61fcd1507d5f9401b9fb1222c27d
NIXPKGS-2026-1391
published 1 month, 2 weeks ago
Permalink CVE-2026-42234
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
    1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago

n8n: Python Task Runner Sandbox Escape

n8n
  • ==>= 2.17.0, < 2.17.4
  • ==>= 2.18.0, < 2.18.1
  • ==< 1.123.32
NIXPKGS-2026-1388
published 1 month, 2 weeks ago
Permalink CVE-2026-7535
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 1 month, 2 weeks ago by @LeSuisse Activity log

Open5GS transfer-update denial of service

Open5GS
  • ==2.7.1
  • ==2.7.4
  • ==2.7.7
  • ==2.7.0
  • ==2.7.3
  • ==2.7.5
  • ==2.7.6
  • ==2.7.2
NIXPKGS-2026-1387
published 1 month, 2 weeks ago
Permalink CVE-2026-7724
5.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 1 month, 2 weeks ago by @LeSuisse Activity log

PrefectHQ prefect Webhook/Notification validate_restricted_url toctou

prefect
  • ==3.6.28.dev2
  • ==3.6.28.dev1